April 22nd, 2006, 1:25 AM   #12
H
I don't feel like typing a lot, so I'll keep this short.

What's preventing someone from using a script to view mail within the mail folder? If the folder has read access it's possible.

Sure, PHP can't be executed above public_html, but it can certainly read and write to that area. I do it all the time actually. Whenever I write any new scripts, the database connection is never within the public folder. If I have ownership of the folders, I can go back to root if I wish.

And once again, while 0444 may stop someone from overwriting, there's nothing stopping someone from chmodding that file to 0755 or 0777 prior to overwriting.

Because of the ownership that phpsuexec gives to PHP scripts, they have a lot more freedom with the filesystem. Deny it all you wish.
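The two points in the post above (mode bits do not stop the file's owner, and a PHP process that owns files under phpsuexec can reach them wherever they sit) can be checked directly on a box. The following script is an added example, not code from the poster or from any phpsuexec project; it assumes a hypothetical list of sensitive file names and builds its own small sample home directory, so it runs offline. The first function reproduces the 0444 observation on a throwaway file; the second is the defender-side audit a hosting admin would want: it walks an account and flags sensitive files that the uid PHP runs as owns (so mode bits are irrelevant) or that are world-readable.

```python
import os
import stat
import tempfile

# Hypothetical list of file names a shared-hosting audit treats as sensitive.
SENSITIVE_NAMES = {"config.php", "db.php", "wp-config.php", ".my.cnf", ".htpasswd"}


def current_uid():
    """Effective uid of this process (the uid phpsuexec would run a script as)."""
    return os.geteuid()


def owner_can_modify(path, uid):
    """True when a process running as `uid` can change `path` regardless of its
    mode bits: the owner can always chmod() the file writable again, and root
    ignores mode bits entirely. This is the loophole the post describes for 0444."""
    st = os.stat(path)
    return uid == 0 or st.st_uid == uid


def demonstrate_0444_is_not_a_boundary():
    """Create a 0444 file owned by this user, show that a plain write is refused
    but that chmod() followed by a write succeeds. Returns a dict of observations."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db.php")
        with open(path, "w") as fh:
            fh.write("<?php $dsn = 'constructed-sample'; ?>\n")  # constructed content
        os.chmod(path, 0o444)

        blocked = False
        try:
            with open(path, "a") as fh:
                fh.write("// appended\n")
        except PermissionError:
            blocked = True  # expected for a non-root owner

        # The owner simply restores write permission and tries again.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
        with open(path, "a") as fh:
            fh.write("// appended after chmod\n")
        with open(path) as fh:
            writable_after_chmod = "appended after chmod" in fh.read()

        return {"blocked_before_chmod": blocked,
                "writable_after_chmod": writable_after_chmod}


def audit_sensitive_files(root, php_uid):
    """Walk `root` and report sensitive files that `php_uid` owns (and can therefore
    chmod and overwrite) or that are world-readable. Returns a sorted list of
    (relative_path, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name not in SENSITIVE_NAMES:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if owner_can_modify(full, php_uid):
                findings.append((rel, "owned by the PHP uid: mode bits do not protect it"))
            if os.stat(full).st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def make_sample_home():
    """Build a constructed account layout: a private db.php above public_html
    (mode 0600) and a world-readable .htpasswd inside it. Returns the root path."""
    home = tempfile.mkdtemp(prefix="sample-home-")
    os.makedirs(os.path.join(home, "private"))
    os.makedirs(os.path.join(home, "public_html"))
    db = os.path.join(home, "private", "db.php")
    with open(db, "w") as fh:
        fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
    os.chmod(db, 0o600)
    htpasswd = os.path.join(home, "public_html", ".htpasswd")
    with open(htpasswd, "w") as fh:
        fh.write("user:constructed-hash\n")
    os.chmod(htpasswd, 0o644)
    with open(os.path.join(home, "public_html", "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return home


if __name__ == "__main__":
    print(demonstrate_0444_is_not_a_boundary())
    home = make_sample_home()
    for rel, finding in audit_sensitive_files(home, current_uid()):
        print(f"{rel}: {finding}")
```

The audit flags by ownership, not by mode, because that is the property that actually decides whether a phpsuexec-run script can rewrite a file; the usual fix it points at is giving configuration and mail directories a different owner than the uid PHP runs as, with group-read access only where the script genuinely needs it.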